FIRECOL
A COLLABORATIVE PROTECTION NETWORK FOR THE
DETECTION OF FLOODING DDOS ATTACKS
ABSTRACT:
Distributed denial-of-service (DDoS) attacks remain a major security problem,
the mitigation of which is very hard especially when it comes to highly distributed
botnet-based attacks. The early discovery of these attacks, although challenging, is
necessary to protect end-users as well as the expensive network infrastructure
resources.
In this paper, we address the problem of DDoS attacks and present the
theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol
is composed of intrusion prevention systems (IPSs) located at the Internet service
providers (ISPs) level.
The IPSs form virtual protection rings around the hosts to defend and
collaborate by exchanging selected traffic information. The evaluation of FireCol
using extensive simulations and a real dataset is presented, showing FireCol
effectiveness and low overhead, as well as its support for incremental deployment
in real networks.
1. MODULES:
The core of FireCol is composed of intrusion prevention systems (IPSs)
located at the Internet service provider (ISPs) level. The IPSs form virtual
protection rings around the hosts to defend and collaborate by exchanging selected
traffic information. In this project, FireCol blocks users who create a DDoS
attack against the web application and puts those users on a block list.
The modules are as follows:
• User Module
• Web Admin Module
• Firecol System
1.1 MODULE DESCRIPTION:
User Module
This module is for the normal user and the expert user. A normal user is one who
needs to post a question. A registered normal user is allowed to post questions
in this application. If a normal user overloads the application with parallel
requests, this is considered a DDoS attack and that user is considered an attacker.
An expert user first views the questions posted by normal users and, if the expert
knows the answer to a question, posts the solution for the corresponding
question.
Web Admin Module
This module is for the website admin, who developed the application and
uploaded it to the server. The admin provides the registration form for users. When
an expert user registers, the admin activates the expert's account after
verification. If the expert did not register correctly, the web admin puts the
expert's account on hold. The web admin then gets full user updates from FireCol.
The admin calculates expert performance and keeps the experts' ranking records
in the database.
Firecol System:
The core of FireCol is composed of intrusion prevention systems (IPSs)
located at the Internet service provider (ISPs) level. The IPSs form virtual
protection rings around the hosts to defend and collaborate by exchanging selected
traffic information.
In this module, FireCol tracks the details of all users. When a normal user posts
a question, FireCol checks its rules; if a rule matches, FireCol blocks
the user and adds that user to the attacker list. FireCol also checks user traffic
details: when one normal user creates heavy traffic for the web application, FireCol
identifies that user as an attacker and adds the user to the attacker list.
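The rule check described in this module can be sketched as follows. This is an added Python example, not the project's ASP.NET code; the limit of 5 requests per 1-second window, the class and function names, and the request log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed rule parameters (not given on the page): a user who sends more than
# MAX_REQUESTS requests within WINDOW seconds is treated as a flooding source.
MAX_REQUESTS = 5
WINDOW = 1.0


class FloodRuleChecker:
    """Tracks per-user request times and keeps an attacker (block) list."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW):
        self.max_requests = max_requests
        self.window = window
        self.recent = defaultdict(deque)   # user -> timestamps inside the window
        self.attackers = {}                # user -> time the rule matched

    def check(self, user, ts):
        """Return True if the request is served, False if it is blocked."""
        if user in self.attackers:
            return False                   # already on the attacker list
        times = self.recent[user]
        times.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - times[0] >= self.window:
            times.popleft()
        if len(times) > self.max_requests:
            self.attackers[user] = ts      # rule matched: block from now on
            del self.recent[user]
            return False
        return True


def replay(log, checker=None):
    """Run a list of (timestamp, user) requests; return (served, attackers)."""
    checker = checker or FloodRuleChecker()
    served = defaultdict(int)
    for ts, user in sorted(log):
        if checker.check(user, ts):
            served[user] += 1
    return dict(served), dict(checker.attackers)


# Constructed sample log: "alice" posts one question every 2 s, while
# "mallory" fires 12 parallel requests within 0.11 s and then retries later.
SAMPLE_LOG = (
    [(2.0 * i, "alice") for i in range(5)]
    + [(3.0 + 0.01 * i, "mallory") for i in range(12)]
    + [(9.0, "mallory")]
)

if __name__ == "__main__":
    served, attackers = replay(SAMPLE_LOG)
    print("served:", served)
    print("attacker list:", attackers)
```

Once a user is on the attacker list, every later request from that user is refused, including the retry at 9.0 s that would on its own be well under the limit.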
2. EXISTING SYSTEM
• Existing approaches counter DDoS attacks by fighting the underlying vector,
which is usually the use of botnets.
• A botnet is a large network of compromised machines (bots) controlled
by one entity (the master).
• The master can launch synchronized attacks, such as DDoS, by sending
orders to the bots via a Command & Control channel.
2.1. DISADVANTAGES OF EXISTING SYSTEM
• Distributed denial-of-service (DDoS) attacks remain a major security
problem when implementing complex access control policies for accessing
data.
• Allowing huge traffic to transit through the Internet and only detecting/blocking
it at the host IDS/IPS may severely strain Internet resources.
• The mitigation of network delay is very hard, especially when it comes to
highly distributed botnet-based attacks.
3. PROPOSED SYSTEM
• Detection is performed as close to attack sources as possible, providing
protection to subscribed customers and saving valuable network resources.
• Experiments showed good performance and robustness of FireCol and
highlighted good practices for its configuration.
• FireCol relies on a distributed architecture composed of multiple IPSs
forming overlay networks of protection rings around subscribed customers.
3.1 ADVANTAGES OF PROPOSED SYSTEM
• Future work is planned to extend FireCol to support different IPS rule
structures.
• The core of FireCol is composed of intrusion prevention systems (IPSs)
located at the Internet service provider (ISP) level.
• The IPSs form virtual protection rings around the hosts to defend and
collaborate by exchanging selected traffic information.
4. SYSTEM SPECIFICATION:
HARDWARE REQUIREMENTS:
Processor : Pentium III
Speed : 1.1 GHz
RAM : 1GB
Hard Disk : 20 GB
Floppy Drive : 1.44 MB
Keyboard : Standard Windows Keyboard
Mouse : Two or Three Button Mouse
Monitor : SVGA
SOFTWARE REQUIREMENTS
Front End : ASP.NET
Back End : SQL Server 2005
Operating System : Windows XP/07
IDE : Visual Studio 2008
5. Introduction:
DDoS, short for Distributed Denial of Service, is a type of DoS
attack where multiple compromised systems -- which are usually infected with
a Trojan -- are used to target a single system, causing a Denial of Service (DoS)
attack. Victims of a DDoS attack consist of both the end targeted system and all
systems maliciously used and controlled by the hacker in the distributed
attack. In the DDoS attack, the incoming traffic flooding the victim originates
from many different sources – potentially hundreds of thousands or more. This
effectively makes it impossible to stop the attack simply by blocking a single IP
address; plus, it is very difficult to distinguish legitimate user traffic from attack
traffic when spread across so many points of origin.
To avoid these issues, this paper focuses on the detection of DDoS attacks
and not, per se, on their underlying vectors. Although non-distributed
denial-of-service attacks usually exploit a vulnerability by sending a few carefully
forged packets to disrupt a service, DDoS attacks are mainly used for flooding a
particular victim with massive traffic as highlighted in [1]. In fact, the
popularity of these attacks is due to their high effectiveness against any kind of
service since there is no need to identify and exploit any particular service-
specific flaw in the victim. Hence, this paper focuses exclusively on flooding
DDoS attacks. A single intrusion prevention system (IPS) or intrusion detection
system (IDS) can hardly detect such DDoS attacks, unless they are located very
close to the victim. However, even in that latter case, the IDS/IPS may crash
because it needs to deal with an overwhelming volume of packets (some
flooding attacks reach 10–100 Gb/s). In addition, allowing such huge traffic to
transit through the Internet and only detect/block it at the host IDS/IPS may
severely strain Internet resources.
The core of FireCol is composed of intrusion prevention systems (IPSs)
located at the Internet service providers (ISPs) level. The IPSs form virtual
protection rings around the hosts to defend and collaborate by exchanging
selected traffic information. The evaluation of FireCol using extensive
simulations and a real dataset is presented, showing FireCol effectiveness and
low overhead, as well as its support for incremental deployment in real
networks.
We use the FireCol system to detect those attacks and to protect
our server from DDoS attacks. FireCol is designed in a way that makes
it a service to which customers can subscribe. Participating IPSs along the path
to a subscribed customer collaborate (vertical communication) by computing
and exchanging belief scores on potential attacks. The IPSs form virtual
protection rings around the host they protect. The virtual rings use horizontal
communication when the degree of a potential attack is high. In this way, the
threat is measured based on the overall traffic bandwidth directed to the
customer compared to the maximum bandwidth it supports. In addition to
detecting flooding DDoS attacks, FireCol also helps in detecting other flooding
scenarios, such as flash crowds, and botnet-based DDoS attacks.
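The following added example (not code from the FireCol paper or from this project) models the ring collaboration described above in a simplified way: each IPS scores its own share of the customer's capacity, a high score triggers a ring-wide (horizontal) exchange, and the pooled bandwidth is compared with the maximum the customer supports. The scoring formula, the 0.2 threshold, the outer-to-inner direction of score passing, and all rates are assumptions.

```python
from dataclasses import dataclass

# Assumed parameter (not on the page): an IPS asks its ring for a horizontal
# exchange once the belief score it holds reaches this share of capacity.
SCORE_THRESHOLD = 0.2


@dataclass
class IPS:
    name: str
    rate_mbps: float  # traffic this IPS forwards toward the protected customer

    def score(self, capacity_mbps):
        """Assumed belief score: share of the customer's capacity seen here."""
        return min(1.0, self.rate_mbps / capacity_mbps)


def standalone_alerts(ring, capacity_mbps):
    """What isolated IPSs would report: those that alone exceed capacity."""
    return [ips.name for ips in ring if ips.rate_mbps > capacity_mbps]


def horizontal_check(ring, capacity_mbps):
    """Ring members pool their rates and compare the sum with capacity."""
    total = sum(ips.rate_mbps for ips in ring)
    return total, total > capacity_mbps


def evaluate_rings(rings, capacity_mbps, threshold=SCORE_THRESHOLD):
    """rings maps ring level -> list of IPS; the highest level is outermost.

    Scores are handed from outer to inner rings (vertical communication,
    direction assumed). A ring runs the horizontal exchange only when the
    score it holds reaches the threshold.
    """
    carried = 0.0
    checks = 0
    for level in sorted(rings, reverse=True):
        ring = rings[level]
        carried = max(carried, max(ips.score(capacity_mbps) for ips in ring))
        if carried < threshold:
            continue  # low suspicion: no ring-wide traffic exchange
        checks += 1
        total, flooding = horizontal_check(ring, capacity_mbps)
        if flooding:
            return {"attack": True, "ring": level, "total_mbps": total,
                    "horizontal_checks": checks}
    return {"attack": False, "ring": None, "total_mbps": None,
            "horizontal_checks": checks}


def make_rings(outer_rates, inner_rates):
    """Build a two-ring topology from constructed per-IPS rates in Mb/s."""
    return {
        2: [IPS(f"outer-{i}", r) for i, r in enumerate(outer_rates)],
        1: [IPS(f"inner-{i}", r) for i, r in enumerate(inner_rates)],
    }


CAPACITY_MBPS = 100.0  # constructed: maximum bandwidth the customer supports
# Constructed scenarios: a flood spread over six outer IPSs, and normal load.
FLOOD = make_rings([30, 25, 28, 5, 22, 4], [60, 54])
NORMAL = make_rings([10, 8, 12, 5, 9, 4], [25, 23])

if __name__ == "__main__":
    print("isolated alerts:", standalone_alerts(FLOOD[2], CAPACITY_MBPS))
    print("flood:", evaluate_rings(FLOOD, CAPACITY_MBPS))
    print("normal:", evaluate_rings(NORMAL, CAPACITY_MBPS))
```

In the flood scenario no single outer IPS sees more than 30 Mb/s, so isolated detection raises nothing, while the pooled 114 Mb/s exceeds the 100 Mb/s capacity at the outer ring, before the traffic converges on the customer.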
5.2 SYSTEM IMPLEMENTATION
Implementation is the stage of the project when the theoretical design is
turned into a working system. Thus it can be considered to be the most
critical stage in achieving a successful new system and in giving the user
confidence that the new system will work and be effective.
The implementation stage involves careful planning, investigation of the
existing system and its constraints on implementation, designing of methods to
achieve changeover and evaluation of changeover methods.
Implementation is the process of converting a new system design into
operation. It is the phase that focuses on user training, site preparation and file
conversion for installing a candidate system. The important factor that should
be considered here is that the conversion should not disrupt the functioning of
the organization.
6. DIAGRAMS:
6.1 FIRECOL ARCHITECTURE:
6.2 Use Case Diagram:
6.3 Data Flow Diagram
6.4 Activity Diagram:
7. LANGUAGE SPECIFICATION
THE .NET FRAMEWORK
The .NET Framework is a new computing platform that simplifies
application development in the highly distributed environment of the Internet.
7.1 OBJECTIVES OF .NET FRAMEWORK:
1. To provide a consistent object-oriented programming environment
whether object code is stored and executed locally, Internet-distributed, or
executed remotely.
2. To provide a code-execution environment that minimizes software
deployment and guarantees safe execution of code.
3. To eliminate performance problems.
There are different types of application, such as Windows-based
applications and Web-based applications.
To support communication in a distributed environment and ensure that code
accessed by the .NET Framework can integrate with any other code.
7.2 COMPONENTS OF .NET FRAMEWORK
THE COMMON LANGUAGE RUNTIME (CLR):
The common language runtime is the foundation of the .NET
Framework. It manages code at execution time, providing important services
such as memory management, thread management, and remoting, and it also
ensures greater security and robustness. The concept of code management is a
fundamental principle of the runtime. Code that targets the runtime is known
as managed code, while code that does not target the runtime is known as
unmanaged code.
THE .NET FRAMEWORK CLASS LIBRARY:
It is a comprehensive, object-oriented collection of reusable types used to
develop applications ranging from traditional command-line or graphical user
interface (GUI) applications to applications based on the latest innovations
provided by ASP.NET, such as Web Forms and XML Web services.
The .NET Framework can be hosted by unmanaged components
that load the common language runtime into their processes and initiate the
execution of managed code, thereby creating a software environment that can
exploit both managed and unmanaged features. The .NET Framework not only
provides several runtime hosts, but also supports the development of third-
party runtime hosts.
Internet Explorer is an example of an unmanaged application that
hosts the runtime (in the form of a MIME type extension). Using Internet
Explorer to host the runtime enables you to embed managed components or
Windows Forms controls in HTML documents.
FEATURES OF THE COMMON LANGUAGE RUNTIME:
The common language runtime manages memory, thread execution, code
execution, code safety verification, compilation, and other system services;
these all run on the CLR.
• Security.
• Robustness.
• Productivity.
• Performance.
SECURITY:
The runtime enforces code access security. The security features of
the runtime thus enable legitimate Internet-deployed software to be
exceptionally feature rich. With regard to security, managed components are
awarded varying degrees of trust, depending on a number of factors that
include their origin; that level of trust determines whether a component may
perform file-access operations, registry-access operations, or other sensitive
functions.
ROBUSTNESS:
The runtime also enforces code robustness by implementing a
strict type- and code-verification infrastructure called the common type system
(CTS). The CTS ensures that all managed code is self-describing. The managed
environment of the runtime eliminates many common software issues.
PRODUCTIVITY:
The runtime also accelerates developer productivity. For example,
programmers can write applications in their development language of choice,
yet take full advantage of the runtime, the class library, and components
written in other languages by other developers.
PERFORMANCE:
The runtime is designed to enhance performance. Although the common
language runtime provides many standard runtime services, managed code is
never interpreted. A feature called just-in-time (JIT) compiling enables all
managed code to run in the native machine language of the system on which it
is executing. Finally, the runtime can be hosted by high-performance, server-
side applications, such as Microsoft® SQL Server™ and Internet Information
Services (IIS).
7.3 FEATURES OF ASP.NET
ASP.NET
ASP.NET is the next version of Active Server Pages (ASP); it is a unified
Web development platform that provides the services necessary for developers
to build enterprise-class Web applications. While ASP.NET is largely syntax
compatible with ASP, it also provides a new programming model and infrastructure
for more secure, scalable, and stable applications.
ASP.NET is a compiled, .NET-based environment; we can author
applications in any .NET compatible language, including Visual Basic .NET, C#,
and JScript .NET. Additionally, the entire .NET Framework is available to any
ASP.NET application. Developers can easily access the benefits of these
technologies, which include the managed common language runtime
environment (CLR), type safety, inheritance, and so on.
ASP.NET has been designed to work seamlessly with WYSIWYG HTML
editors and other programming tools, including Microsoft Visual Studio .NET.
Not only does this make Web development easier, but it also provides all the
benefits that these tools have to offer, including a GUI that developers can use
to drop server controls onto a Web page and fully integrated debugging
support. Developers can choose from the following two features when creating
an ASP.NET application, Web Forms and Web services, or combine these in
any way they see fit. Each is supported by the same infrastructure that allows
you to use authentication schemes, cache frequently used data, or customize
your application's configuration, to name only a few possibilities. Web Forms
allows us to build powerful forms-based Web pages. When building these
pages, we can use ASP.NET server controls to create common UI elements, and
program them for common tasks. These controls allow us to rapidly build a
Web Form out of reusable built-in or custom components, simplifying the code
of a page.
An XML Web service provides the means to access server functionality
remotely. Using Web services, businesses can expose programmatic interfaces
to their data or business logic, which in turn can be obtained and manipulated
by client and server applications. XML Web services enable the exchange of
data in client-server or server-server scenarios, using standards like HTTP and
XML messaging to move data across firewalls. XML Web services are not tied to
a particular component technology or object-calling convention. As a result,
programs written in any language, using any component model, and running on
any operating system can access XML Web services.
Each of these models can take full advantage of all ASP.NET features, as well as
the power of the .NET Framework and .NET Framework common language
runtime. Accessing databases from ASP.NET applications is an often-used
technique for displaying data to Web site visitors. ASP.NET makes it easier than
ever to access databases for this purpose. It also allows us to manage the
database from our code.
ASP.NET provides a simple model that enables Web developers to write
logic that runs at the application level. Developers can write this code in the
Global.asax text file or in a compiled class deployed as an assembly. This logic
can include application-level events, but developers can easily extend this
model to suit the needs of their Web application.
ASP.NET provides easy-to-use application and session-state facilities that
are familiar to ASP developers and are readily compatible with all other .NET
Framework APIs. ASP.NET offers the IHttpHandler and IHttpModule
interfaces. Implementing the IHttpHandler interface gives you a means of
interacting with the low-level request and response services of the IIS Web
server and provides functionality much like ISAPI extensions, but with a
simpler programming model. Implementing the IHttpModule interface allows
you to include custom events that participate in every request made to your
application.
ASP.NET takes advantage of performance enhancements found in the
.NET Framework and common language runtime. Additionally, it has been
designed to offer significant performance improvements over ASP and other
Web development platforms. All ASP.NET code is compiled, rather than
interpreted, which allows early binding, strong typing, and just-in-time (JIT)
compilation to native code, to name only a few of its benefits. ASP.NET is also
easily factorable, meaning that developers can remove modules (a session
module, for instance) that are not relevant to the application they are
developing.
ASP.NET provides extensive caching services (both built-in services and
caching APIs). ASP.NET also ships with performance counters that developers
and system administrators can monitor to test new applications and gather
metrics on existing applications. Writing custom debug statements to your Web
page can help immensely in troubleshooting your application's code. However,
it can cause embarrassment if it is not removed. The problem is that removing
the debug statements from your pages when your application is ready to be
ported to a production server can require significant effort.
ASP.NET offers the TraceContext class, which allows us to write custom
debug statements to our pages as we develop them. They appear only when you
have enabled tracing for a page or entire application. Enabling tracing also
appends details about a request to the page, or, if you so specify, to a custom
trace viewer that is stored in the root directory of your application. The .NET
Framework and ASP.NET provide default authorization and authentication
schemes for Web applications. We can easily remove, add to, or replace these
schemes, depending upon the needs of our application.
ASP.NET configuration settings are stored in XML-based files, which are
human readable and writable. Each of our applications can have a distinct
configuration file and we can extend the configuration scheme to suit our
requirements.
7.4 DATA ACCESS WITH ADO.NET
As you develop applications using ADO.NET, you will have different
requirements for working with data. You might never need to directly edit an
XML file containing data - but it is very useful to understand the data
architecture in ADO.NET.
ADO.NET offers several advantages over previous versions of ADO:
• Interoperability
• Maintainability
• Programmability
• Performance
• Scalability
INTEROPERABILITY:
ADO.NET applications can take advantage of the flexibility and broad
acceptance of XML. Because XML is the format for transmitting datasets across
the network, any component that can read the XML format can process data.
The receiving component need not be an ADO.NET component.
The transmitting component can simply transmit the dataset to its
destination without regard to how the receiving component is implemented.
The destination component might be a Visual Studio application or any other
application implemented with any tool whatsoever.
The only requirement is that the receiving component be able to read
XML. XML was designed with exactly this kind of interoperability in mind.
MAINTAINABILITY:
In the life of a deployed system, modest changes are possible, but
substantial architectural changes are rarely attempted because they are so
difficult. As the performance load on a deployed application server grows,
system resources can become scarce and response time or throughput can
suffer. Faced with this problem, software architects can choose to divide the
server's business-logic processing and user-interface processing onto separate
tiers on separate machines. In effect, the application server tier is replaced with
two tiers, alleviating the shortage of system resources. If the original application
is implemented in ADO.NET using datasets, this transformation is made easier.
PROGRAMMABILITY:
ADO.NET data components in Visual Studio encapsulate data access
functionality in various ways that help you program more quickly and with
fewer mistakes.
PERFORMANCE:
ADO.NET datasets offer performance advantages over ADO disconnected
record sets. In ADO.NET, data-type conversion is not necessary.
SCALABILITY:
ADO.NET accommodates scalability by encouraging programmers to
conserve limited resources. Any ADO.NET application employs disconnected
access to data; it does not retain database locks or active database connections
for long durations.
VISUAL STUDIO .NET
Visual Studio .NET is a complete set of development tools for
building ASP Web applications, XML Web services, desktop applications, and
mobile applications. In addition to building high-performing desktop
applications, you can use Visual Studio's powerful component-based
development tools and other technologies to simplify team-based design,
development, and deployment of enterprise solutions. Visual Basic .NET, Visual
C++ .NET, and Visual C# .NET all use the same integrated development
environment (IDE), which allows them to share tools and facilitates the
creation of mixed-language solutions.
In addition, these languages leverage the functionality of the .NET
Framework and simplify the development of ASP Web applications and XML
Web services.
Visual Studio supports the .NET Framework, which provides
a common language runtime and unified programming classes; ASP.NET uses
these components to create ASP Web applications and XML Web services. It
also includes the MSDN Library, which contains all the documentation for these
development tools.
7.5 FEATURES OF SQL-SERVER 2005
The OLAP Services feature available in SQL Server version 7.0 is now
called SQL Server 2005 Analysis Services. The term OLAP Services has been
replaced with the term Analysis Services. Analysis Services also includes a new
data mining component. The Repository component available in SQL Server
version 7.0 is now called Microsoft SQL Server 2005 Meta Data Services.
References to the component now use the term Meta Data Services. The term
repository is used only in reference to the repository engine within Meta Data
Services. A SQL Server database consists of six types of objects.
They are:
1. TABLE
2. QUERY
3. FORM
4. REPORT
5. MACRO
6. MODULE
TABLE:
A database is a collection of data about a specific topic.
VIEWS OF TABLE:
We can work with a table in two views:
1. Design View
2. Datasheet View
Design View
To build or modify the structure of a table, we work in the table design
view. We can specify what kind of data will be held.
Datasheet View
To add, edit or analyse the data itself, we work in the table's datasheet view
mode.
QUERY:
A query is a question that has to be asked of the data. Access gathers data
that answers the question from one or more tables. The data that makes up the
answer is either a dynaset (if you edit it) or a snapshot (it cannot be edited). Each
time we run a query, we get the latest information in the dynaset. Access either
displays the dynaset or snapshot for us to view or performs an action on it, such
as deleting or updating.
FORMS:
A form is used to view and edit information in the database record by
record. A form displays only the information we want to see in the way we
want to see it. Forms use familiar controls such as textboxes and
checkboxes. This makes viewing and entering data easy.
Views of Form:
We can work with forms in several views; primarily there are two.
They are:
1. Design View
2. Form View
Design View
To build or modify the structure of a form, we work in the form's design view.
We can add controls to the form that are bound to fields in a table or query,
including textboxes, option buttons, graphs and pictures.
Form View
The form view displays the whole design of the form.
REPORT:
A report is used to view and print information from the database. The
report can group records into many levels and compute totals and averages by
checking values from many records at once. Also the report is attractive and
distinctive because we have control over its size and appearance.
MACRO:
A macro is a set of actions. Each action in a macro does something, such as
opening a form or printing a report. We write macros to automate common
tasks, making the work easy and saving time.
MODULE:
Modules are units of code written in the Access Basic language. We can write
and use modules to automate and customize the database in very sophisticated
ways. It is a personal-computer-based RDBMS. This provides most of the
features available in high-end RDBMS products like Oracle, Sybase, and
Ingres. VB keeps Access as its native database. A developer can create a
database for development and can further create the tables required to store
data. During the initial development phase, data can be stored in the Access
database, and during the implementation phase, depending on the volume of data,
a higher-end database can be used.
8. SYSTEM STUDY
FEASIBILITY STUDY
The feasibility of the project is analyzed in this phase and a business
proposal is put forth with a very general plan for the project and some cost
estimates. During system analysis the feasibility study of the proposed system is
to be carried out. This is to ensure that the proposed system is not a burden to
the company. For feasibility analysis, some understanding of the major
requirements for the system is essential.
Three key considerations involved in the feasibility analysis are
• ECONOMICAL FEASIBILITY
• TECHNICAL FEASIBILITY
• SOCIAL FEASIBILITY
ECONOMICAL FEASIBILITY
This study is carried out to check the economic impact that the system
will have on the organization. The amount of funds that the company can pour
into the research and development of the system is limited. The expenditures
must be justified. Thus the developed system is well within the budget, and this
was achieved because most of the technologies used are freely available. Only
the customized products had to be purchased.
TECHNICAL FEASIBILITY
This study is carried out to check the technical feasibility, that is, the
technical requirements of the system. Any system developed must not place a
high demand on the available technical resources, as this would lead to high
demands being placed on the client. The developed system must have modest
requirements, as only minimal or no changes are required for implementing
this system.
SOCIAL FEASIBILITY
This aspect of the study is to check the level of acceptance of the system by the
user. This includes the process of training the user to use the system efficiently.
The user must not feel threatened by the system, instead must accept it as a
necessity.
The level of acceptance by the users solely depends on the methods that
are employed to educate the user about the system and to make him familiar
with it. His level of confidence must be raised so that he is also able to make
some constructive criticism, which is welcomed, as he is the final user of the
system.
8.2 SYSTEM TESTING AND MAINTENANCE
Testing is vital to the success of the system. System testing makes a logical
assumption that if all parts of the system are correct, the goal will be
successfully achieved.
In the testing process we test the actual system in an organization,
gather errors from the new system and take initiatives to correct them. All
the front-end and back-end connectivity is tested to be sure that the new
system operates at full efficiency as stated. System testing is the stage of
implementation that is aimed at ensuring that the system works accurately
and efficiently.
The main objective of testing is to uncover errors in the system. For
the uncovering process we have to give proper input data to the system, so we
should be careful when choosing input data. It is important to give correct
inputs for efficient testing.
Testing is done for each module. After testing all the modules, the
modules are integrated and testing of the final system is done with the test data,
specially designed to show that the system will operate successfully in all its
aspects and conditions. Thus the system testing is a confirmation that all is correct
and an opportunity to show the user that the system works. Inadequate testing
or non-testing leads to errors that may appear a few months later.
This will create two problems: the time delay between the cause and the
appearance of the problem, and the effect of the system errors on files and
records within the system. The purpose of the system testing is to consider all the
likely variations to which it will be subjected and push the system to its limits.
The testing process focuses on the logical internals of the software, ensuring
that all the statements have been tested, and on the functional externals, i.e.,
conducting tests to uncover errors and ensure that defined inputs will produce
actual results that agree with the required results. Testing has to be done using
the two common steps, unit testing and integration testing. In the project,
system testing is made as follows:
The procedure-level testing is made first. By giving improper inputs, the
errors that occur are noted and eliminated. This is the final step in the system life
cycle. Here we implement the tested, error-free system in a real-life
environment, where it runs in an online fashion, and make necessary changes.
Here system maintenance is done every month or year based on company
policies, and the system is checked for errors like runtime errors, long-run errors
and other maintenance items like table verification and reports.
UNIT TESTING
Unit testing focuses verification efforts on the smallest unit of software design,
the module. This is known as "Module Testing". The modules are tested separately.
This testing is carried out during the programming stage itself. In these testing
steps, each module is found to be working satisfactorily with regard to the
expected output from the module.
INTEGRATION TESTING
Integration testing is a systematic technique for constructing tests to
uncover errors associated with the interface. In the project, all the modules are
combined and then the entire program is tested as a whole. In the
integration-testing step, all the errors uncovered are corrected for the next testing
steps.
9. LITERATURE SURVEY
9.1 Title: Worldwide ISP security report
Author: Arbor, Lexington
Description:
Arbor Networks, Inc., in cooperation with the Internet security operations
community, has completed this fourth edition of an ongoing series of annual
operational security surveys. This survey, covering a 12-month period from
August 2007 through July 2008, is designed to provide data useful to network
operators so that they can make informed decisions about their use of network
security technology to protect their mission-critical infrastructures. It is also
meant to serve as a general resource for the Internet operations and engineering
community, recording information on trends and employment of various
infrastructure security techniques.
Operational network security issues—the day-to-day aspects of security in
commercial networks—are the primary focus of survey respondents. As such,
the results provided in this survey more accurately represent real-world
concerns than theoretical and emerging attack vectors addressed and speculated
about elsewhere.
Key Findings
The ISP Security Battlefront Expands: In the last three surveys, ISPs
reportedly spent most of their available security resources combating
distributed denial of service (DDoS) attacks. For the first time, this year ISPs
also describe a far more diversified security landscape, including significant
concerns over domain name system (DNS) spoofing, border gateway protocol
(BGP) hijacking and spam. Almost half of the surveyed ISPs now consider their
DNS services vulnerable. Others expressed concern over related service
delivery infrastructure, including voice over IP (VoIP), session border
controllers (SBCs) and load balancers.
Attacks Now Exceed 40 Gigabits: From relatively humble megabit beginnings in
2000, the largest DDoS attacks have now grown a hundredfold to break the 40
gigabit barrier this year. The growth in attack size continues to significantly
outpace the corresponding increase in underlying transmission speed and ISP
infrastructure investment. Figure 1 shows the
yearly reported maximum attack size.
9.2 Title: Survey of network-based defense mechanisms countering the DoS
and DDoS problems
Author: T. Peng, C. Leckie, and K. Ramamohanarao
Description:
The Internet was originally designed for openness and scalability. The
infrastructure is certainly working as envisioned by that yardstick. However,
the price of this success has been poor security. For example, the Internet
Protocol (IP) was designed to support ease of attachment of hosts to networks,
and provides little support for verifying the contents of IP packet header fields
[Clark 1988]. This makes it possible to fake the source address of packets, and
hence difficult to identify the source of traffic. Moreover, there is no inherent
support in the IP layer to check whether a source is authorized to access a
service. Packets are delivered to their destination, and the server at the
destination must decide whether to accept and service these packets. While
defenses such as firewalls can be added to protect servers, a key challenge for
defense is how to discriminate legitimate requests for service from malicious
access attempts. If it is easier for sources to generate service requests than it is
for a server to check the validity of those requests, then it is difficult to protect
the server from malicious requests that waste the resources of the server. This
creates the opportunity for a class of attack known as a denial of service attack.
9.3 Title: The zombie roundup: Understanding, detecting, and disrupting
botnets
Author: E. Cooke, F. Jahanian, and D. McPherson
Description:
Global Internet threats are undergoing a profound transformation from attacks
designed solely to disable infrastructure to those that also target people and
organizations. Behind these new attacks is a large pool of compromised hosts
sitting in homes, schools, businesses, and governments around the world. These
systems are infected with a bot that communicates with a bot controller and
other bots to form what is commonly referred to as a zombie army or botnet.
Botnets are a very real and quickly evolving problem that is still not well
understood or studied. In this paper we outline the origins and structure of bots
and botnets and use data from the operator community, the Internet Motion
Sensor project, and a honeypot experiment to illustrate the botnet problem
today. We then study the effectiveness of detecting botnets by directly
monitoring IRC communication or other command and control activity and
show a more comprehensive approach is required. We conclude by describing a
system to detect botnets that utilize advanced command and control systems by
correlating secondary detection data from multiple sources. This frightening
new class of attacks directly impacts the day-to-day lives of millions of people
and endangers businesses around the world. For example, new attacks steal
personal information that can be used to damage reputations or lead to
significant financial losses. Current mitigation techniques focus on the
symptoms of the problem, filtering the spam, hardening web browsers, or
building applications that warn against phishing tricks. While tools such as
these are important, it is also critical to disrupt and dismantle the infrastructure
used to perpetrate the attacks. At the center of these threats is a large pool of
compromised hosts sitting in homes, schools, businesses, and governments
around the world. These systems are infected with a bot that communicates
with a bot controller and other bots to form what is commonly referred to as a
zombie army or botnet. A bot can be differentiated from other threats by a
communication channel to a controller.
10. CONCLUSION AND FUTURE WORKS
This paper proposed FireCol, a scalable solution for the early detection of
flooding DDoS attacks. Belief scores are shared within a ring-based overlay
network of IPSs. Detection is performed as close to attack sources as possible, providing
protection to subscribed customers and saving valuable network resources.
Experiments showed good performance and robustness of FireCol and
highlighted good practices for its configuration.
Also, the analysis of FireCol demonstrated its light computational as well
as communication overhead. Being offered as an added value service to
customers, the accounting for FireCol is therefore facilitated, which represents
a good incentive for its deployment by ISPs. As future work, we plan to
extend FireCol to support different IPS rule structures.
11. REFERENCES:
[1] A. Networks, Arbor, Lexington, MA, “Worldwide ISP security report,” Tech.
Rep., 2010.
[2] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based
defense mechanisms countering the DoS and DDoS problems,” Comput. Surv.,
vol. 39, Apr. 2007, Article 3.
[3] E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup:
Understanding, detecting, and disrupting botnets,” in Proc. SRUTI, Jun. 2005, pp.
39–44.
[4] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and
mitigation of peer-to-peer-based botnets: A case study on storm worm,” in Proc.
USENIX LEET, 2008, Article no. 9.
[5] J. François, A. El Atawy, E. Al Shaer, and R. Boutaba, “A collaborative
approach for proactive detection of distributed denial of service attacks,” in Proc.
IEEE MonAM, Toulouse, France, 2007, vol. 11.
[6] A. Feldmann, O. Maennel, Z. M. Mao, A. Berger, and B. Maggs, “Locating
Internet routing instabilities,” Comput. Commun. Rev., vol. 34, no. 4, pp. 205–218,
2004.
[7] A. Basu and J. Riecke, “Stability issues in OSPF routing,” in Proc. ACM
SIGCOMM, 2001, pp. 225–236.
[8] V. Paxson, “End-to-end routing behavior in the Internet,” IEEE/ACM Trans.
Netw., vol. 5, no. 5, pp. 601–615, Oct. 1997.
[9] K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Internet traffic behavior profiling
for network security monitoring,” IEEE/ACM Trans. Netw., vol. 16, no. 6, pp.
1241–1252, Dec. 2008.
[10] Z. Zhang, M. Zhang, A. Greenberg, Y. C. Hu, R. Mahajan, and B. Christian,
“Optimizing cost and performance in online service provider networks,” in Proc.
USENIX NSDI, 2010, p. 3.
[11] M. Dischinger, A. Mislove, A. Haeberlen, and K. P. Gummadi, “Detecting
bittorrent blocking,” in Proc. ACM SIGCOMM Conf. Internet Meas., 2008, pp. 3–8.
[12] Y. Zhang, Z. M. Mao, and M. Zhang, “Detecting traffic differentiation in
backbone ISPs with NetPolice,” in Proc. ACM SIGCOMM Conf. Internet Meas.,
2009, pp. 103–115.
[13] G. Shafer, A Mathematical Theory of Evidence. Princeton, NJ: Princeton
Univ. Press, 1976.
[14] T. M. Gil and M. Poletto, “Multops: A data-structure for bandwidth attack
detection,” in Proc. 10th USENIX Security Symp., 2001, pp. 23–38.
[15] T. Peng, C. Leckie, and K. Ramamohanarao, “Protection from distributed
denial of service attacks using history-based IP filtering,” in Proc. IEEE ICC, May
2003, vol. 1, pp. 482–486.
[16] C. Siaterlis and B. Maglaris, “Detecting DDoS attacks with passive
measurement based heuristics,” in Proc. Int. Symp. Comput. Commun., 2004, vol.
1, pp. 339–344.

Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Recently uploaded (20)

Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDOS ATTACKS

  • 1. FIRECOL A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDOS ATTACKS
  • 2. ABSTRACT: Distributed denial-of-service (DDoS) attacks remain a major security problem, the mitigation of which is very hard especially when it comes to highly distributed botnet-based attacks. The early discovery of these attacks, although challenging, is necessary to protect end-users as well as the expensive network infrastructure resources. In this paper, we address the problem of DDoS attacks and present the theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks.
  • 3. 1. MODULES: The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service provider (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. In this Project Firecol blocked the users, whose creating DDOS attack in the web application and put that user on block list. The Modules are as follows  User Module  Web Admin Module  Firecol System 1.1 MODULE DESCRIPTION: User Module This module is for the Normal user and Expert user. The Normal user who is need to post the question. The registered normal user allowed to posting the question in this application. If any normal user overload the application with parallel request means it consider as DDOS attack so that user consider as attacker. The expert user first view the normal user posted question and if that expert users know the answer for that question means they I will post the solution for correspond questions. Web Admin Module This is a module for website admin, whose developed that application and uploaded in the server. Admin give the registration form for the users, if any expert users registered means after the verification admin activate the expert users
  • 4. account. If expert didn’t register in correct manner means web admin put expert account on hold. Then Web admin get the user full updates from the Firecol. The admin calculate expert performance and keep the experts ranking records in their database. Firecol System: The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service provider (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. In this module the Firecol trace the all users details , when normal users post the question, Firecol will check the rules if rules matched , Firecol will blocked the user and put on that user type to Attacker list. Firecol checking the user traffic details, when one normal user creating more traffic for the web application, Firecol find that attacker user and add that user to attacker list. 2. EXISTING SYSTEM  To countering DDoS attacks by fighting the underlying vector which is usually the use of botnets.  A botnet is a large network of compromised machines (bots) controlled by one entity (the master).  The master can launch synchronized attacks, such as DDoS, by sending orders to the bots a Command & Control channel 2.1. DISADVANTAGES OF EXISTING SYSTEM
  • 5.  Distributed denial-of-service (DDoS) attacks remain a major security problem to implementing complex access control policies for accessing data  Huge traffic to transit through the Internet and only detect/block it at the host IDS/IPS may severely strain Internet resources.  The mitigation of network delay is very hard especially when it comes to highly distributed botnet-based attacks 3. PROPOSED SYSTEM  It is performed as close to attack sources as possible, providing a protection to subscribed customers and saving valuable network resources  Experiments showed good performance and robustness of FireCol and highlighted good practices for its configuration  FireCol: relies on a distributed architecture composed of multiple IPSs forming overlay networks of protection rings around subscribed customers. 3.1 ADVANTAGES OF PROPOSED SYSTEM  A future work to plan and extend FireCol to support different IPS rule structures.  The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level.
  • 6.  The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. 4. SYSTEM SPECIFICATION: HARDWARE REQUIREMENTS: Processor : Pentium –III Speed : 1.1 GHz RAM : 1GB Hard Disk : 20 GB Floppy Drive : 1.44 MB Key Board : Standard Windows Keyboard Mouse : Two or Three Button Mouse Monitor : SVGA SOFTWARE REQUIREMENTS Front End : ASP.NET Back End : SQL Server 2005 Operating System : Windows XP/07 IDE : Visual Studio 2008
  • 7. 5. Introduction: DDOS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems -- which are usually infected with a Trojan -- are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. In the DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin. To avoid these issues, this paper focuses on the detection of DDoS attacks and per se not their underlying vectors. Although non distributed denial-of- service attacks usually exploit vulnerability by sending few carefully forged packets to disrupt a service, DDoS attacks are mainly used for flooding a particular victim with massive traffic as highlighted in [1]. In fact, the popularity of these attacks is due to their high effectiveness against any kind of service since there is no need to identify and exploit any particular service- specific flaw in the victim. Hence, this paper focuses exclusively on flooding DDoS attacks. A single intrusion prevention system (IPS) or intrusion detection system (IDS) can hardly detect such DDoS attacks, unless they are located very
  • 8. close to the victim. However, even in that latter case, the IDS/IPS may crash because it needs to deal with an overwhelming volume of packets (some flooding attacks reach 10–100 Gb/s). In addition, allowing such huge traffic to transit through the Internet and only detect/block it at the host IDS/IPS may severely strain Internet resources. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks. We are using Firecol System to detect those attacks, which system use to prevent our server from DDOS attacks. FireCol is designed in a way that makes it a service to which customers can subscribe. Participating IPSs along the path to a subscribed customer collaborate (vertical communication) by computing and exchanging belief scores on potential attacks. The IPSs form virtual protection rings around the host they protect. The virtual rings use horizontal communication when the degree of a potential attack is high. In this way, the threat is measured based on the overall traffic bandwidth directed to the customer compared to the maximum bandwidth it supports. In addition to
  • 9. detecting flooding DDoS attacks, FireCol also helps in detecting other flooding scenarios, such as flash crowds, and for botnet-based DDoS attacks. 5.2 SYSTEM IMPLEMENTATION Implementation is the stage of the project when the theoretical design is turned out into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user, confidence that the new system will work and be effective. The implementation stage involves careful planning, investigation of the existing system and it’s constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods. Implementation is the process of converting a new system design into operation. It is the phase that focuses on user training, site preparation and file conversion for installing a candidate system. The important factor that should be considered here is that the conversion should not disrupt the functioning of the organization.
  • 10. 6. DIAGRAMS: 6.1 FIRECOL ARCHITECTURE:
  • 11. 6.2 Use Case Diagram:
  • 12. 6.3 Data Flow Diagram
  • 14. 7. LANGUAGE SPECIFICATION THE .NET FRAMEWORK The .NET Framework is a new computing platform that simplifies application development in the highly distributed environment of the Internet. 7.1 OBJECTIVES OF. NET FRAMEWORK: 1. To provide a consistent object-oriented programming environment whether object codes is stored and executed locally on Internet-distributed, or executed remotely. 2. To provide a code-execution environment to minimizes software deployment and guarantees safe execution of code. 3. Eliminates the performance problems. There are different types of application, such as Windows-based applications and Web-based applications. To make communication on distributed environment to ensure that code be accessed by the .NET Framework can integrate with any other code. 7.2 COMPONENTS OF .NET FRAMEWORK THE COMMON LANGUAGE RUNTIME (CLR):
  • 15. The common language runtime is the foundation of the .NET Framework. It manages code at execution time, providing important services such as memory management, thread management, and remoting and also ensures more security and robustness. The concept of code management is a fundamental principle of the runtime. Code that targets the runtime is known as managed code, while code that does not target the runtime is known as unmanaged code. THE .NET FRAME WORK CLASS LIBRARY: It is a comprehensive, object-oriented collection of reusable types used to develop applications ranging from traditional command-line or graphical user interface (GUI) applications to applications based on the latest innovations provided by ASP.NET, such as Web Forms and XML Web services. The .NET Framework can be hosted by unmanaged components that load the common language runtime into their processes and initiate the execution of managed code, thereby creating a software environment that can exploit both managed and unmanaged features. The .NET Framework not only provides several runtime hosts, but also supports the development of third- party runtime hosts. Internet Explorer is an example of an unmanaged application that hosts the runtime (in the form of a MIME type extension). Using Internet Explorer to host the runtime to enables embeds managed components or Windows Forms controls in HTML documents.
  • 16. FEATURES OF THE COMMON LANGUAGE RUNTIME: The common language runtime manages memory; thread execution, code execution, code safety verification, compilation, and other system services these are all run on CLR.  Security.  Robustness.  Productivity.  Performance. SECURITY: The runtime enforces code access security. The security features of the runtime thus enable legitimate Internet-deployed software to be exceptionally feature rich. With regards to security, managed components are awarded varying degrees of trust, depending on a number of factors that include their origin to perform file-access operations, registry-access operations, or other sensitive functions. ROBUSTNESS: The runtime also enforces code robustness by implementing a strict type- and code-verification infrastructure called the common type system (CTS). The CTS ensures that all managed code is self-describing. The managed environment of the runtime eliminates many common software issues.
  • 17. PRODUCTIVITY: The runtime also accelerates developer productivity. For example, programmers can write applications in their development language of choice, yet take full advantage of the runtime, the class library, and components written in other languages by other developers. PERFORMANCE: The runtime is designed to enhance performance. Although the common language runtime provides many standard runtime services, managed code is never interpreted. A feature called just-in-time (JIT) compiling enables all managed code to run in the native machine language of the system on which it is executing. Finally, the runtime can be hosted by high-performance, server- side applications, such as Microsoft® SQL Server™ and Internet Information Services (IIS). 7.3 FEATURES OF ASP.NET ASP.NET ASP.NET is the next version of Active Server Pages (ASP); it is a unified Web development platform that provides the services necessary for developers to build enterprise-class Web applications. While ASP.NET is largely syntax compatible, it also provides a new programming model and infrastructure for more secure, scalable, and stable applications.
  • 18. ASP.NET is a compiled, NET-based environment, we can author applications in any .NET compatible language, including Visual Basic .NET, C#, and JScript .NET. Additionally, the entire .NET Framework is available to any ASP.NET application. Developers can easily access the benefits of these technologies, which include the managed common language runtime environment (CLR), type safety, inheritance, and so on. ASP.NET has been designed to work seamlessly with WYSIWYG HTML editors and other programming tools, including Microsoft Visual Studio .NET. Not only does this make Web development easier, but it also provides all the benefits that these tools have to offer, including a GUI that developers can use to drop server controls onto a Web page and fully integrated debugging support. Developers can choose from the following two features when creating an ASP.NET application. Web Forms and Web services, or combine these in any way they see fit. Each is supported by the same infrastructure that allows you to use authentication schemes, cache frequently used data, or customize your application's configuration, to name only a few possibilities. Web Forms allows us to build powerful forms-based Web pages. When building these pages, we can use ASP.NET server controls to create common UI elements, and program them for common tasks. These controls allow we to rapidly build a Web Form out of reusable built-in or custom components, simplifying the code of a page.
  • 19. An XML Web service provides the means to access server functionality remotely. Using Web services, businesses can expose programmatic interfaces to their data or business logic, which in turn can be obtained and manipulated by client and server applications. XML Web services enable the exchange of data in client-server or server-server scenarios, using standards like HTTP and XML messaging to move data across firewalls. XML Web services are not tied to a particular component technology or object-calling convention. As a result, programs written in any language, using any component model, and running on any operating system can access XML Web services Each of these models can take full advantage of all ASP.NET features, as well as the power of the .NET Framework and .NET Framework common language runtime. Accessing databases from ASP.NET applications is an often-used technique for displaying data to Web site visitors. ASP.NET makes it easier than ever to access databases for this purpose. It also allows us to manage the database from your code . ASP.NET provides a simple model that enables Web developers to write logic that runs at the application level. Developers can write this code in the global.aspx text file or in a compiled class deployed as an assembly. This logic
  • 20. can include application-level events, but developers can easily extend this model to suit the needs of their Web application. ASP.NET provides easy-to-use application and session-state facilities that are familiar to ASP developers and are readily compatible with all other .NET Framework APIs.ASP.NET offers the IHttpHandler and IHttpModule interfaces. Implementing the IHttpHandler interface gives you a means of interacting with the low-level request and response services of the IIS Web server and provides functionality much like ISAPI extensions, but with a simpler programming model. Implementing the IHttpModule interface allows you to include custom events that participate in every request made to your application. ASP.NET takes advantage of performance enhancements found in the .NET Framework and common language runtime. Additionally, it has been designed to offer significant performance improvements over ASP and other Web development platforms. All ASP.NET code is compiled, rather than interpreted, which allows early binding, strong typing, and just-in-time (JIT) compilation to native code, to name only a few of its benefits. ASP.NET is also easily factorable, meaning that developers can remove modules (a session module, for instance) that are not relevant to the application they are developing.
  • 21. ASP.NET provides extensive caching services (both built-in services and caching APIs). ASP.NET also ships with performance counters that developers and system administrators can monitor to test new applications and gather metrics on existing applications. Writing custom debug statements to your Web page can help immensely in troubleshooting your application's code. However, it can cause embarrassment if it is not removed. The problem is that removing the debug statements from your pages when your application is ready to be ported to a production server can require significant effort. ASP.NET offers the Trace Context class, which allows us to write custom debug statements to our pages as we develop them. They appear only when you have enabled tracing for a page or entire application. Enabling tracing also appends details about a request to the page, or, if you so specify, to a custom trace viewer that is stored in the root directory of your application. The .NET Framework and ASP.NET provide default authorization and authentication schemes for Web applications. we can easily remove, add to, or replace these schemes, depending upon the needs of our application . ASP.NET configuration settings are stored in XML-based files, which are human readable and writable. Each of our applications can have a distinct
  • 22. configuration file and we can extend the configuration scheme to suit our requirements. 7.4 DATA ACCESS WITH ADO.NET As you develop applications using ADO.NET, you will have different requirements for working with data. You might never need to directly edit an XML file containing data - but it is very useful to understand the data architecture in ADO.NET. ADO.NET offers several advantages over previous versions of ADO:  Interoperability  Maintainability  Programmability  Performance Scalability INTEROPERABILITY: ADO.NET applications can take advantage of the flexibility and broad acceptance of XML. Because XML is the format for transmitting datasets across the network, any component that can read the XML format can process data. The receiving component need not be an ADO.NET component.
  • 23. The transmitting component can simply transmit the dataset to its destination without regard to how the receiving component is implemented. The destination component might be a Visual Studio application or any other application implemented with any tool whatsoever. The only requirement is that the receiving component be able to read XML. SO, XML was designed with exactly this kind of interoperability in mind. MAINTAINABILITY: In the life of a deployed system, modest changes are possible, but substantial, Architectural changes are rarely attempted because they are so difficult. As the performance load on a deployed application server grows, system resources can become scarce and response time or throughput can suffer. Faced with this problem, software architects can choose to divide the server's business-logic processing and user-interface processing onto separate tiers on separate machines. In effect, the application server tier is replaced with two tiers, alleviating the shortage of system resources. If the original application is implemented in ADO.NET using datasets, this transformation is made easier. ADO.NET data components in Visual Studio encapsulate data access functionality in various ways that help you program more quickly and with fewer mistakes. PERFORMANCE:
  • 24. ADO.NET datasets offer performance advantages over ADO disconnected record sets. In ADO.NET data-type conversion is not necessary. SCALABILITY: ADO.NET accommodates scalability by encouraging programmers to conserve limited resources. Any ADO.NET application employs disconnected access to data; it does not retain database locks or active database connections for long durations. VISUAL STUDIO .NET Visual Studio .NET is a complete set of development tools for building ASP Web applications, XML Web services, desktop applications, and mobile applications In addition to building high-performing desktop applications, you can use Visual Studio's powerful component-based development tools and other technologies to simplify team-based design, development, and deployment of Enterprise solutions. Visual Basic .NET, Visual C++ .NET, and Visual C# .NET all use the same integrated development environment (IDE), which allows them to share tools and facilitates in the creation of mixed-language solutions.
  • 25. In addition, these languages leverage the functionality of the .NET Framework and simplify the development of ASP Web applications and XML Web services. Visual Studio supports the .NET Framework, which provides a common language runtime and unified programming classes; ASP.NET uses these components to create ASP Web applications and XML Web services. Also it includes MSDN Library, which contains all the documentation for these development tools. 7.5 FEATURES OF SQL-SERVER 2005 The OLAP Services feature available in SQL Server version 7.0 is now called SQL Server 2005 Analysis Services. The term OLAP Services has been replaced with the term Analysis Services. Analysis Services also includes a new data mining component. The Repository component available in SQL Server version 7.0 is now called Microsoft SQL Server 2005 Meta Data Services. References to the component now use the term Meta Data Services. The term repository is used only in reference to the repository engine within Meta Data Services SQL-SERVER database consist of six type of objects, They are, 1. TABLE 2. QUERY 3. FORM
  • 26. 4. REPORT 5. MACRO TABLE: A database is a collection of data about a specific topic. VIEWS OF TABLE: We can work with a table in two types, 1. Design View 2. Datasheet View Design View To build or modify the structure of a table we work in the table design view. We can specify what kind of data will be hold. Datasheet View To add, edit or analyses the data itself we work in tables datasheet view mode. QUERY: A query is a question that has to be asked the data. Access gathers data that answers the question from one or more table. The data that make up the
  • 27. answer is either dynaset (if you edit it) or a snapshot(it cannot be edited).Each time we run query, we get latest information in the dynaset.Access either displays the dynaset or snapshot for us to view or perform an action on it ,such as deleting or updating. FORMS: A form is used to view and edit information in the database record by record .A form displays only the information we want to see in the way we want to see it. Forms use the familiar controls such as textboxes and checkboxes. This makes viewing and entering data easy. Views of Form: We can work with forms in several primarily there are two views, They are, 1. Design View 2. Form View Design View To build or modify the structure of a form, we work in forms design view. We can add control to the form that are bound to fields in a table or query, includes textboxes, option buttons, graphs and pictures. Form View
  • 28. The form view displays the whole design of the form.
    REPORT:
    A report is used to view and print information from the database. The report can group records into many levels and compute totals and averages by checking values from many records at once. The report is also attractive and distinctive because we have control over its size and appearance.
    MACRO:
    A macro is a set of actions. Each action in a macro does something, such as opening a form or printing a report. We write macros to automate common tasks, make the work easy and save time.
    MODULE:
    Modules are units of code written in the Access Basic language. We can write and use modules to automate and customize the database in very sophisticated ways.
    It is a personal computer based RDBMS. It provides most of the features available in high-end RDBMS products like Oracle, Sybase, Ingres, etc. VB keeps Access as its native database. A developer can create a database for development and further create the tables that are required to store data. During the initial development phase data can be stored in the Access database, and during the implementation phase, depending on the volume, data can use a higher-end database.
  • 29. 8. SYSTEM STUDY
    FEASIBILITY STUDY
    The feasibility of the project is analyzed in this phase and a business proposal is put forth with a very general plan for the project and some cost estimates. During system analysis the feasibility study of the proposed system is to be carried out. This is to ensure that the proposed system is not a burden to the company. For feasibility analysis, some understanding of the major requirements for the system is essential.
    Three key considerations involved in the feasibility analysis are
    • ECONOMICAL FEASIBILITY
    • TECHNICAL FEASIBILITY
    • SOCIAL FEASIBILITY
    ECONOMICAL FEASIBILITY
    This study is carried out to check the economic impact that the system will have on the organization. The amount of funds that the company can pour into the research and development of the system is limited. The expenditures must be justified. Thus the developed system is well within the budget, and this was achieved because most of the technologies used are freely available. Only the customized products had to be purchased.
  • 30. TECHNICAL FEASIBILITY
    This study is carried out to check the technical feasibility, that is, the technical requirements of the system. Any system developed must not place a high demand on the available technical resources, as this would lead to high demands being placed on the client. The developed system must have modest requirements, as only minimal or null changes are required for implementing this system.
    SOCIAL FEASIBILITY
    This aspect of the study is to check the level of acceptance of the system by the user. This includes the process of training the user to use the system efficiently. The user must not feel threatened by the system, but must instead accept it as a necessity. The level of acceptance by the users depends solely on the methods that are employed to educate the user about the system and to make him familiar with it. His level of confidence must be raised so that he is also able to make some constructive criticism, which is welcomed, as he is the final user of the system.
  • 31. 8.2 SYSTEM TESTING AND MAINTENANCE
    Testing is vital to the success of the system. System testing makes a logical assumption that if all parts of the system are correct, the goal will be successfully achieved. In the testing process we test the actual system in an organization, gather errors from the new system and take initiatives to correct them. All the front-end and back-end connectivity is tested to be sure that the new system operates in full efficiency as stated. System testing is the stage of implementation which is aimed at ensuring that the system works accurately and efficiently.
    The main objective of testing is to uncover errors in the system. For the uncovering process we have to give proper input data to the system, so we should take care over the input data we give; correct inputs are important for efficient testing.
    Testing is done for each module. After testing all the modules, the modules are integrated and testing of the final system is done with the test data, specially designed to show that the system will operate successfully in all its aspects and conditions. Thus the system testing is a confirmation that all is correct
  • 32. and an opportunity to show the user that the system works. Inadequate testing or non-testing leads to errors that may appear a few months later. This will create two problems:
    • Time delay between the cause and appearance of the problem.
    • The effect of the system errors on files and records within the system.
    The purpose of the system testing is to consider all the likely variations to which it will be subjected and push the system to its limits.
    The testing process focuses on the logical internals of the software, ensuring that all the statements have been tested, and on the functional externals, i.e., conducting tests to uncover errors and ensure that defined inputs will produce actual results that agree with the required results. Testing has to be done using the two common steps: unit testing and integration testing. In the project, system testing is made as follows:
    The procedure level testing is made first. By giving improper inputs, the errors that occur are noted and eliminated. This is the final step in the system life cycle. Here we implement the tested error-free system in a real-life environment and make necessary changes; the system runs in an online fashion. Here system maintenance is done every month or year based on company policies, and the system is checked for errors like runtime errors and long run errors, and for other maintenance like table verification and reports.
  • 33. UNIT TESTING
    Unit testing focuses verification efforts on the smallest unit of software design, the module. This is known as “Module Testing”. The modules are tested separately. This testing is carried out during the programming stage itself. In these testing steps, each module is found to be working satisfactorily as regards the expected output from the module.
    INTEGRATION TESTING
    Integration testing is a systematic technique for constructing tests to uncover errors associated with the interface. In the project, all the modules are combined and then the entire program is tested as a whole. In the integration-testing step, all the errors uncovered are corrected for the next testing steps.
  • 34. 9. LITERATURE SURVEY
    9.1 Title: Worldwide ISP security report
    Author: Arbor, Lexington
    Description:
    Arbor Networks, Inc., in cooperation with the Internet security operations community, has completed this fourth edition of an ongoing series of annual operational security surveys. This survey, covering a 12-month period from August 2007 through July 2008, is designed to provide data useful to network operators so that they can make informed decisions about their use of network security technology to protect their mission-critical infrastructures. It is also meant to serve as a general resource for the Internet operations and engineering community, recording information on trends and employment of various infrastructure security techniques. Operational network security issues—the day-to-day aspects of security in commercial networks—are the primary focus of survey respondents. As such, the results provided in this survey more accurately represent real-world concerns than theoretical and emerging attack vectors addressed and speculated about elsewhere.
    Key Findings
    The ISP Security Battlefront Expands
    In the last three surveys, ISPs reportedly spent most of their available security resources combating
  • 35. distributed denial of service (DDoS) attacks. For the first time, this year ISPs also describe a far more diversified security landscape, including significant concerns over domain name system (DNS) spoofing, border gateway protocol (BGP) hijacking and spam. Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP), session border controllers (SBCs) and load balancers.
    Attacks Now Exceed 40 Gigabits
    From relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment. Figure 1 shows the yearly reported maximum attack size.
  • 36. 9.2 Title: Survey of network-based defense mechanisms countering the DoS and DDoS problems
    Author: T. Peng, C. Leckie, and K. Ramamohanarao
    Description:
    The Internet was originally designed for openness and scalability. The infrastructure is certainly working as envisioned by that yardstick. However, the price of this success has been poor security. For example, the Internet Protocol (IP) was designed to support ease of attachment of hosts to networks, and provides little support for verifying the contents of IP packet header fields [Clark 1988]. This makes it possible to fake the source address of packets, and hence difficult to identify the source of traffic. Moreover, there is no inherent support in the IP layer to check whether a source is authorized to access a service. Packets are delivered to their destination, and the server at the destination must decide whether to accept and service these packets. While defenses such as firewalls can be added to protect servers, a key challenge for defense is how to discriminate legitimate requests for service from malicious access attempts. If it is easier for sources to generate service requests than it is for a server to check the validity of those requests, then it is difficult to protect the server from malicious requests that waste the resources of the server. This creates the opportunity for a class of attack known as a denial of service attack.
  • 37. 9.3 Title: The zombie roundup: Understanding, detecting, and disrupting botnets
    Author: E. Cooke, F. Jahanian, and D. McPherson
    Description:
    Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. Botnets are a very real and quickly evolving problem that is still not well understood or studied. In this paper we outline the origins and structure of bots and botnets and use data from the operator community, the Internet Motion Sensor project, and a honeypot experiment to illustrate the botnet problem today. We then study the effectiveness of detecting botnets by directly monitoring IRC communication or other command and control activity and show a more comprehensive approach is required. We conclude by describing a system to detect botnets that utilize advanced command and control systems by correlating secondary detection data from multiple sources.
    This frightening new class of attacks directly impacts the day-to-day lives of millions of people and endangers businesses around the world. For example, new attacks steal
  • 38. personal information that can be used to damage reputations or lead to significant financial losses. Current mitigation techniques focus on the symptoms of the problem, filtering the spam, hardening web browsers, or building applications that warn against phishing tricks. While tools such as these are important, it is also critical to disrupt and dismantle the infrastructure used to perpetrate the attacks. At the center of these threats is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot that communicates with a bot controller and other bots to form what is commonly referred to as a zombie army or botnet. A bot can be differentiated from other threats by a communication channel to a controller.
    10. CONCLUSION AND FUTURE WORKS
    This paper proposed FireCol, a scalable solution for the early detection of flooding DDoS attacks. Belief scores are shared within a ring-based overlay network of IPSs. Detection is performed as close to attack sources as possible, providing protection to subscribed customers and saving valuable network resources. Experiments showed good performance and robustness of FireCol and highlighted good practices for its configuration.
  • 39. Also, the analysis of FireCol demonstrated its light computational as well as communication overhead. Being offered as an added value service to customers, the accounting for FireCol is therefore facilitated, which represents a good incentive for its deployment by ISPs. As a future work, we plan to extend FireCol to support different IPS rule structures.
    11. REFERENCES:
    [1] A. Networks, Arbor, Lexington, MA, “Worldwide ISP security report,” Tech. Rep., 2010.
    [2] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,” Comput. Surv., vol. 39, Apr. 2007, Article 3.
    [3] E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup: Understanding, detecting, and disrupting botnets,” in Proc. SRUTI, Jun. 2005, pp. 39–44.
    [4] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and mitigation of peer-to-peer-based botnets: A case study on storm worm,” in Proc. USENIX LEET, 2008, Article no. 9.
    [5] J. François, A. El Atawy, E. Al Shaer, and R. Boutaba, “A collaborative approach for proactive detection of distributed denial of service attacks,” in Proc. IEEE MonAM, Toulouse, France, 2007, vol. 11.
  • 40. [6] A. Feldmann, O. Maennel, Z. M. Mao, A. Berger, and B. Maggs, “Locating Internet routing instabilities,” Comput. Commun. Rev., vol. 34, no. 4, pp. 205–218, 2004.
    [7] A. Basu and J. Riecke, “Stability issues in OSPF routing,” in Proc. ACM SIGCOMM, 2001, pp. 225–236.
    [8] V. Paxson, “End-to-end routing behavior in the Internet,” IEEE/ACM Trans. Netw., vol. 5, no. 5, pp. 601–615, Oct. 1997.
    [9] K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Internet traffic behavior profiling for network security monitoring,” IEEE/ACM Trans. Netw., vol. 16, no. 6, pp. 1241–1252, Dec. 2008.
    [10] Z. Zhang, M. Zhang, A. Greenberg, Y. C. Hu, R. Mahajan, and B. Christian, “Optimizing cost and performance in online service provider networks,” in Proc. USENIX NSDI, 2010, p. 3.
    [11] M. Dischinger, A. Mislove, A. Haeberlen, and K. P. Gummadi, “Detecting bittorrent blocking,” in Proc. ACM SIGCOMM Conf. Internet Meas., 2008, pp. 3–8.
    [12] Y. Zhang, Z. M. Mao, and M. Zhang, “Detecting traffic differentiation in backbone ISPs with NetPolice,” in Proc. ACM SIGCOMM Conf. Internet Meas., 2009, pp. 103–115.
    [13] G. Shafer, A Mathematical Theory of Evidence. Princeton, NJ: Princeton Univ. Press, 1976.
  • 41. [14] T. M. Gil and M. Poletto, “Multops: A data-structure for bandwidth attack detection,” in Proc. 10th USENIX Security Symp., 2001, pp. 23–38.
    [15] T. Peng, C. Leckie, and K. Ramamohanarao, “Protection from distributed denial of service attacks using history-based IP filtering,” in Proc. IEEE ICC, May 2003, vol. 1, pp. 482–486.
    [16] C. Siaterlis and B. Maglaris, “Detecting DDoS attacks with passive measurement based heuristics,” in Proc. Int. Symp. Comput. Commun., 2004, vol. 1, pp. 339–344.